Did Angler Exploit Kit Die With Russian Lurk Arrests?

Researchers have recently noted a large scale switch from the Angler exploit kit (EK) to the Neutrino exploit kit. Last Wednesday SANS ISC noted that CryptXXX ransomware was now being delivered by the Neutrino EK. "Until then, I'd only seen Angler EK distribute CryptXXX," reported Brad Duncan.

On Friday Malwarebytes reported that malvertising campaigns it had earlier described as using fingerprinting to evade detection "are still going on but rather than using Angler EK to infect victims, we see the Neutrino exploit kit instead."

Angler first appeared in late 2013. By spring 2014 it had equaled the currently most popular EK, Nuclear; and by late 2014 it had become the most popular EK in use. By spring of last year it represented 82% of all EK activity (figures from Sophos). At that point, Neutrino activity was barely visible.

(Image Credit: F-Secure)

This has reversed, with Angler no longer prevalent – nor even visible, and Neutrino dominant. While criminal switching between exploit kits is not unknown, this seems to be different.

French researcher Kafeine has seen the same. Angler, he notes, "has totally vanished on June 7th." One possibility was that the Angler gang were taking their annual vacation – seriously, organized crime is that organized these days. But an ongoing malvertising campaign from SadClowns had switched to Neutrino. And confirmation came when he also saw the CryptXXX switch to Neutrino. The CryptXXX actors had used Angler exclusively, and had even synchronized their own vacation with Angler's January timeline.

The question is whether this is a temporary blip or a permanent demise. It is similar to the sudden decline of the Blackhole EK in 2013. Like Angler, Blackhole had been the exploit kit of choice among cyber criminals. But following the arrest of its author, Dmitry Fedotov aka Paunch, in late 2013, its usage plummeted. (Fedotov was sentenced to seven years in prison by a Russian court earlier this year.)

The similarity Blackhole and Angler has prompted researchers to wonder if the Angler gang have also been arrested. Indeed, one security industry source told SecurityWeek he had heard of imminent likely action against the gang, but had no further details. More specifically, however, researchers are looking at the recent 50 arrests in Russia that were publicly associated with users of the Lurk malware within the last two weeks.

There is certainly a link between Lurk and Angler. Kafeine comments, "With the recent 50 arrests tied to Lurk in mind and knowing the infection vector for Lurk was the 'Indexm' variant of Angler between 2012 and beginning of 2016...we might think there is a connection and that some actors are stepping back."

What isn't clear is whether the Angler gang fear that some among the fifty arrests might implicate them personally and are currently keeping a low profile; or whether the same people are behind both sets of malware. F-Secure security advisor Sean Sullivan told SecurityWeek, Kafeine's analysis "suggests disruption in Angler’s infrastructure. It wouldn’t be the first time an exploit kit has died due to law enforcement (Blackhole). Hopefully it won’t be the last."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.